How does the attack work?
There are many ways in which an end user can be tricked into submitting a request to, or loading a resource from, a web application. To carry out the attack, we first need to understand how to construct a malicious request that the victim's browser will send on our behalf.
Consider the following example: Sawyerr wishes to transfer #1,000 to Segun using http://bank.com. The request generated by Sawyerr's browser will look similar to the following, with the destination account and amount carried in the request body:
POST http://bank.com/transfer.do HTTP/1.1
However, Titi discovers that the web application will also execute the same transfer when the parameters are passed in the URL of a GET request:
GET http://bank.com/transfer.do?acct=Segun&amount=1000 HTTP/1.1
Titi now decides to exploit this vulnerability using Sawyerr as her victim. She first constructs a URL that will transfer #100,000 from Sawyerr's account straight into her own: http://bank.com/transfer.do?acct=Titi&amount=100000
Now that she has generated her malicious request, Titi needs to trick Sawyerr into submitting it. The easiest way to do this is to send Sawyerr an HTML email containing the following:
<a href="http://bank.com/transfer.do?acct=Titi&amount=100000">View my Pictures!</a>
Assuming Sawyerr is still authenticated with bank.com when he clicks the link, his browser attaches his session cookie to the request automatically, and the transfer of #100,000 to Titi's account goes through. This automatic attachment of credentials to any request destined for bank.com, regardless of which page triggered it, is what makes the attack work.
But if Titi realises that Sawyerr will notice a transfer page appearing when he clicks the link, she can instead hide the attack in a zero-byte (1x1 pixel) image:
<img src="http://bank.com/transfer.do?acct=Titi&amount=100000" width="1" height="1" border="0">
If this were included in the email, Sawyerr would see only a small box indicating that the browser could not render the image. The browser nonetheless submits the request to bank.com, with no visual indication that the transfer has taken place.
How to Prevent this type of attack
Use the OWASP Cross-Site Request Forgery Prevention Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) to prevent this type of attack. Its core recommendations: never change state in response to a GET request, require a per-session synchronizer (anti-CSRF) token on every state-changing request and reject requests that lack it, set the SameSite attribute on session cookies, and verify the Origin (or Referer) header as defence in depth.